Pwn2Own hacking contest puts record $560K on the line

HP TippingPoint, the long-time organizer of the annual Pwn2Own hacking contest, has revamped the challenge for the second year running and will offer cash awards exceeding half a million dollars, more than five times the amount paid out last year, the company said yesterday.

The 2013 edition of the contest will offer $560,000 in potential prize money to hackers who demonstrate exploits of previously-unknown vulnerabilities in Chrome, Firefox, Internet Explorer (IE) or Safari, or the Adobe Reader, Adobe Flash or Oracle Java browser plug-ins.

At Pwn2Own, hackers compete for cash prizes by finding exploits in browsers, operating systems, and other software.

Prizes will be awarded on a sliding schedule, with $100,000 for the first to hack Chrome on Windows 7 or IE10 on Windows 8. From there, payments will fall to $75,000 for IE9 and slide through a number of targets before ending at $20,000 for Java. Prizes will also be given for exploiting Adobe Flash and Adobe Reader ($70,000 each), Safari ($65,000) and Firefox ($60,000).

About the Java award, Kostya Kortchinsky, a researcher who now works for Microsoft, quickly tweeted, “ZDI giving out $20k for free,” referring to the Oracle software’s recent vulnerabilities.

Pwn2Own will run March 6-8 at the CanSecWest security conference in Vancouver, British Columbia.

According to Brian Gorenc, a researcher with TippingPoint’s DVLabs, HP will sponsor this year’s Pwn2Own in conjunction with Google. Last year, Google was initially a co-sponsor, but withdrew over disagreements with TippingPoint about that year’s rules.

Google then ran its own hacking contest, dubbed Pwnium, at CanSecWest, where it handed out $120,000 to two researchers for exploiting Chrome.

This year’s contest is another revamp of the process and rules, the second in two years. The 2012 challenge used a complicated point system that awarded prizes to the researcher or team of researchers who exploited the most targets during a three-day stretch. It also challenged hackers to devise exploits on the spot.

With 2013’s Pwn2Own, TippingPoint has essentially dumped last year’s model and returned to earlier contest rules: Researchers will draw their order of appearance before the contest begins, each will have 30 minutes to try his or her luck, and the first to exploit a given target wins the prize.

Another change from last year is that researchers must provide TippingPoint with a fully-functional exploit and all the details of the vulnerability used in the attack. That’s different from last year, when Google backed out because Pwn2Own did not require hackers to divulge full exploits, or all of the bugs used, so that vendors, including Google, could then fix the flaws.

The rule changes and the large infusion of cash hint that Google returned to Pwn2Own sponsorship only after it convinced TippingPoint to revise the exploit disclosure policy. Yesterday, Google declined to comment on whether it would again run a Pwnium contest at CanSecWest, but did confirm it will host its Chrome-specific challenge at some point in 2013.

But it was the cash that caught researchers’ attention.

The $100,000 prize for an exploit of Chrome or IE10, for example, was 67 percent more than Google paid last year in its inaugural Pwnium contest, and over six times the maximum paid at Pwn2Own in 2011 for hacking a desktop browser.

“I have to say the Pwn2Own prize money is serious,” Miller said on Twitter Thursday. “I feel like a 1950’s pro athlete wondering why current athletes are paid so much.”

Miller, who won at Pwn2Own while a security consultant, now works for Twitter.

Others took up Miller’s line of thought, with Larry Seltzer, a long-time security reporter and now the editorial director of Byte, chiming in with, “They’re all using exploit-enhancing drugs these days.”